To GUI or not to GUI

[Frater]

This morning Zabbix notified me that none of the SMTP-services were running on our Plesk 10.4.x server, which means Postfix somehow crashed. This was since 4:30 this morning.

I wasn't able to start postfix either...
It turns out that a Plesk update turned on port 587 last night although it was disabled in /etc/postfix/master.cf
The Plesk update made a new line in that file (in a very ugly way I might add)....

When Plesk was delivered to us as a Xen virtual machine by our ISP we noticed that "SMTP-AUTH" wasn't listening on port 587. We told them so and they fixed it by switching from Postfix to Qmail. It seems there is an option in Plesk's management console to turn port 587 on or off when Qmail is the default server. This option is not there when it is Postfix.
I told them I didn't like Qmail and wanted Postfix because logging in Qmail is a bit awkward (personal taste).
They switched it back to Postfix and to our surprise it was still listening to port 587.
The switch in the Plesk console was gone. It didn't feel good, but well....

We started to migrate users from other Plesk servers, but then we started getting problems with Apples (not the fruit, but computers from a company that claims to be original although they even stole their company name from another one http://en.wikipedia.org/wiki/Apple_Corps )
The apples didn't like how SMTP-AUTH was setup with Plesk/Postfix.
During troubleshooting I noticed that "AUTH" isn't offered by Postfix after the Client's EHLO. It only offered this after a STARTTLS which is more clever, but somehow too clever for Apple Mail which then thinks it doesn't support authentication.

Because I was already running ASSP on that machine, a reverse SMTP-proxy (http://en.wikipedia.org/wiki/Anti-Spam_SMTP_Proxy), it was quite easy to let that handle port 587 and turn it off in /etc/postfix/master.cf. Again it didn't feel good, but there was NO option anymore in the Plesk's WebIF after switching back to postfix.

Turning off "SMTP-AUTH" again in Postfix and restarting both ASSP and Postfix did the trick and everything's running again.

The reason why we have Plesk is that it provides a management platform and that it controls all these services with the best overall settings and lets us control some custom settings using the webIF.

Could we therefore get an option in Plesk for turning on/off SMTP-AUTH?

Can you tell me which file I need to change to turn off SMTP-AUTH for Plesk until such an option is made available in Plesk's webif? I don't want another Plesk update to turn it back on again....

I would also like to know why this line was added last night?

 

[Frater]

---------------------------------------------------------------
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE
Plesk Panel 10.4.4 Update #13
CentOS Linux 2.6.18-274.7.1.el5xen
Postfix
xen VM


PROBLEM DESCRIPTION AND STEPS TO REPRODUCE

After this microupdate my /etc/postfix/master.cf gets overwritten.
It enables SMTP-AUTH, but I turned this off because it didn't work well with Apple Mail.
Because I have something else running on port 587 postfix will not restart anymore.


ACTUAL RESULT

Because I have something else running on port 587 postfix will not restart anymore.

EXPECTED RESULT

Because mail is coming from its own network, it should NOT do any SPF-checking (nor any other sender checking).

ANY ADDITIONAL INFORMATION

SMTP-AUTH was enabled in the GUI when Plesk was running Qmail.
There is no way of enabling / disabling SMTP-AUTH in the GUI since upgrading to postfix.

I want this checkbox back and/or a manual workaround so I can tell Plesk it shouldn't do Port 587.

--------------------------------------------------------------

 

[IgorG]

What about solution from http://forum.parallels.com/showpost.php?p=435667&postcount=8 ?

 

[Frater]

I did some tests with that, but couldn't get a satisfactory result with that either....
I was under time pressure as many clients couldn't get their mail out.

Letting ASSP handle port 587 did the trick and we haven't had issues again since.
I can't afford experimenting with it....

I now just want Plesk to leave SMTP-AUTH alone.
Port 587 was turned off on its virgin install....
I believe SMTP-AUTH is handled by xinetd in the Qmail-config.


I assume this microupdate doesn't just turn on port 587 on all servers?

Postfix doesn't run if it can't get hold of all the sockets.. ASSP is more flexible and just doesn't start that service.

 

[Frater]

I don't want Postfix to add a "submission" line to my /etc/postfix/master.cf
If it does this, my postfix doesn't run

Where can I turn this off please?????????????

If I stop and start Postfix with the webif (for example) it adds these lines (beginning with 2 blank lines)

smtp inet n - n - - smtpd
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes
submission inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions=

 

[Frater]

Because Parallels doesn't come with a solution I created this watchdog that will delete the line with submission if a "Plesk mail-restart" occurs....


# cat /etc/cron.1min/watch-postfix

#!/bin/sh
# watchdog for postfix
netstat -lnt | grep -q ':25 ' && exit
sleep 25
netstat -lnt | grep -q ':25 ' && exit
/etc/init.d/postfix stop
sleep 5
# If Plesk has put a line with 'submission' into /etc/postfix/master.cf revert this
if grep -q '^submission' /etc/postfix/master.cf ; then
  cp -p /etc/postfix/master.cf /etc/postfix/master.cf.`date +%Y.%m.%d..%H.%M`
  sed -i '/^$/d' /etc/postfix/master.cf                          # remove ugly empty lines
  sed -i 's/^submission/#submission/g' /etc/postfix/master.cf    # remove submission line
fi
/etc/init.d/postfix start

 

[jprince]

Hi.
Not sure if this helps, however you should be able to turn off..
Tools & Settings -> Mail Server Settings -> Enable message submission (Uncheck this )..

Take Care.
--jp

 

[burnleyvic]

Best bet Frater, don't use Tools & Settings -> Mail Server Setting when using Postfix. I bit it several times because of their broken Postfix integration and now I'm maintaining most of Postfix configuration outside Plesk. The problem now is that I have to monitor the changed files since their smart*5s installer insists to modify main.cf and master.cf when Plesk is upgraded.
L.E. About that specific submission entry: I don't think you should go that far with that watchdog. You should disable that proxy service on port 587 and remove, if this is *really* what you want, the TLS enforcement from the smtpd configuration listening on 587 port. That line should look like this (one line):
submission inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticate d,reject -o smtpd_sender_restrictions=

 

[Frater]

L.E. About that specific submission entry: I don't think you should go that far with that watchdog. You should disable that proxy service on port 587 and remove, if this is *really* what you want, the TLS enforcement from the smtpd configuration listening on 587 port. That line should look like this (one line):
submission inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticate d,reject -o smtpd_sender_restrictions=

I appreciate your suggestion, but at the time I decided to let ASSP handle port 587, I came to the conclusion it does a much better job than postfix itself. I tried that setting too (not 100% sure it's exactly that setting).
I don't want all those Apple users on my neck again, although I can't imagine they can have this problem with postfix....

But anyhow...
Wouldn't Plesk write its own line there after each restart anyhow and overwriting that custom submission line?
This is what Plesk wants:

submission inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions=


I have 2 other Plesk/Postfix servers and because those never had a switch to Qmail they don't want to handle port 587.
It's a shame I can't change that parameter in the Plesk webif and it's even worse I'm not getting a response from Parallels how to turn this off in their psa database where it's most probably stored.

 

[Frater]

Hi.
Not sure if this helps, however you should be able to turn off..
Tools & Settings -> Mail Server Settings -> Enable message submission (Uncheck this )..

Take Care.
--jp

Thanks, but that's the whole point of this thread.....
That checkbox is only there when Qmail is the MTA

 

[jprince]

Hello Frater.
Interesting.
I have a fresh 10.4.x install, currently at 10.4.4 with micro..18.
The option is there on my installation.. and I am using postfix.


--jp